This diff removes more unused code.
Eric.
Index: config.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/config.c,v
retrieving revision 1.55
diff -u -p -r1.55 config.c
--- config.c 9 Apr 2021 16:43:43 -0000 1.55
+++ config.c 25 May 2021 20:31:16 -0000
@@ -285,7 +285,6 @@ purge_config(uint8_t what)
while (dict_poproot(env->sc_pki_dict, (void **)&p)) {
freezero(p->pki_cert, p->pki_cert_len);
freezero(p->pki_key, p->pki_key_len);
- EVP_PKEY_free(p->pki_pkey);
free(p);
}
free(env->sc_pki_dict);
@@ -298,8 +297,6 @@ purge_config(uint8_t what)
p->pki_cert = NULL;
freezero(p->pki_key, p->pki_key_len);
p->pki_key = NULL;
- EVP_PKEY_free(p->pki_pkey);
- p->pki_pkey = NULL;
}
}
}
Index: ssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/ssl.c,v
retrieving revision 1.94
diff -u -p -r1.94 ssl.c
--- ssl.c 5 Mar 2021 12:37:32 -0000 1.94
+++ ssl.c 25 May 2021 20:39:30 -0000
@@ -65,41 +65,7 @@ ssl_init(void)
inited = 1;
}
-int
-ssl_setup(SSL_CTX **ctxp, struct pki *pki,
- int (*sni_cb)(SSL *,int *,void *), const char *ciphers)
-{
- SSL_CTX *ctx;
- uint8_t sid[SSL_MAX_SID_CTX_LENGTH];
-
- ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len,
ciphers);
-
- /*
- * Set session ID context to a random value. We don't support
- * persistent caching of sessions so it is OK to set a temporary
- * session ID context that is valid during run time.
- */
- arc4random_buf(sid, sizeof(sid));
- if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
- goto err;
-
- if (sni_cb)
- SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
-
- SSL_CTX_set_dh_auto(ctx, pki->pki_dhe);
-
- SSL_CTX_set_ecdh_auto(ctx, 1);
-
- *ctxp = ctx;
- return 1;
-
-err:
- SSL_CTX_free(ctx);
- ssl_error("ssl_setup");
- return 0;
-}
-
-char *
+static char *
ssl_load_file(const char *name, off_t *len, mode_t perm)
{
struct stat st;
@@ -177,7 +143,7 @@ end:
return ret;
}
-char *
+static char *
ssl_load_key(const char *name, off_t *len, char *pass, mode_t perm, const char
*pkiname)
{
FILE *fp = NULL;
@@ -253,53 +219,6 @@ fail:
return (NULL);
}
-SSL_CTX *
-ssl_ctx_create(const char *pkiname, char *cert, off_t cert_len, const char
*ciphers)
-{
- SSL_CTX *ctx;
- size_t pkinamelen = 0;
-
- ctx = SSL_CTX_new(SSLv23_method());
- if (ctx == NULL) {
- ssl_error("ssl_ctx_create");
- fatal("ssl_ctx_create: could not create SSL context");
- }
-
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
- SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);
- SSL_CTX_set_options(ctx,
- SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET);
- SSL_CTX_set_options(ctx,
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
- SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-
- if (ciphers == NULL)
- ciphers = SSL_CIPHERS;
- if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
- ssl_error("ssl_ctx_create");
- fatal("ssl_ctx_create: could not set cipher list");
- }
-
- if (cert != NULL) {
- if (pkiname != NULL)
- pkinamelen = strlen(pkiname) + 1;
- if (!SSL_CTX_use_certificate_chain_mem(ctx, cert, cert_len)) {
- ssl_error("ssl_ctx_create");
- fatal("ssl_ctx_create: invalid certificate chain");
- } else if (!ssl_ctx_fake_private_key(ctx,
- pkiname, pkinamelen, cert, cert_len, NULL, NULL)) {
- ssl_error("ssl_ctx_create");
- fatal("ssl_ctx_create: could not fake private key");
- } else if (!SSL_CTX_check_private_key(ctx)) {
- ssl_error("ssl_ctx_create");
- fatal("ssl_ctx_create: invalid private key");
- }
- }
-
- return (ctx);
-}
-
int
ssl_load_certificate(struct pki *p, const char *pathname)
{
@@ -329,19 +248,6 @@ ssl_load_cafile(struct ca *c, const char
return 1;
}
-const char *
-ssl_to_text(const SSL *ssl)
-{
- static char buf[256];
-
- (void)snprintf(buf, sizeof buf, "%s:%s:%d",
- SSL_get_version(ssl),
- SSL_get_cipher_name(ssl),
- SSL_get_cipher_bits(ssl, NULL));
-
- return (buf);
-}
-
void
ssl_error(const char *where)
{
@@ -352,103 +258,6 @@ ssl_error(const char *where)
ERR_error_string_n(code, errbuf, sizeof(errbuf));
log_debug("debug: SSL library error: %s: %s", where, errbuf);
}
-}
-
-int
-ssl_load_pkey(const void *data, size_t datalen, char *buf, off_t len,
- X509 **x509ptr, EVP_PKEY **pkeyptr)
-{
- BIO *in;
- X509 *x509 = NULL;
- EVP_PKEY *pkey = NULL;
- RSA *rsa = NULL;
- EC_KEY *eckey = NULL;
- void *exdata = NULL;
-
- if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_BUF_LIB);
- return (0);
- }
-
- if ((x509 = PEM_read_bio_X509(in, NULL,
- ssl_password_cb, NULL)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PEM_LIB);
- goto fail;
- }
-
- if ((pkey = X509_get_pubkey(x509)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_X509_LIB);
- goto fail;
- }
-
- BIO_free(in);
- in = NULL;
-
- if (data != NULL && datalen) {
- if (((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL &&
- (eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) ||
- (exdata = malloc(datalen)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_EVP_LIB);
- goto fail;
- }
-
- memcpy(exdata, data, datalen);
- if (rsa)
- RSA_set_ex_data(rsa, 0, exdata);
- if (eckey)
- ECDSA_set_ex_data(eckey, 0, exdata);
- RSA_free(rsa); /* dereference, will be cleaned up with pkey */
- EC_KEY_free(eckey); /* dereference, will be cleaned up with
pkey */
- }
-
- *x509ptr = x509;
- *pkeyptr = pkey;
-
- return (1);
-
- fail:
- RSA_free(rsa);
- EC_KEY_free(eckey);
- BIO_free(in);
- EVP_PKEY_free(pkey);
- X509_free(x509);
- free(exdata);
-
- return (0);
-}
-
-int
-ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
- char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr)
-{
- int ret = 0;
- EVP_PKEY *pkey = NULL;
- X509 *x509 = NULL;
-
- if (!ssl_load_pkey(data, datalen, buf, len, &x509, &pkey))
- return (0);
-
- /*
- * Use the public key as the "private" key - the secret key
- * parameters are hidden in an extra process that will be
- * contacted by the RSA engine. The SSL/TLS library needs at
- * least the public key parameters in the current process.
- */
- ret = SSL_CTX_use_PrivateKey(ctx, pkey);
- if (!ret)
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_LIB_SSL);
-
- if (pkeyptr != NULL)
- *pkeyptr = pkey;
- else
- EVP_PKEY_free(pkey);
-
- if (x509ptr != NULL)
- *x509ptr = x509;
- else
- X509_free(x509);
-
- return (ret);
}
static void
Index: ssl.h
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/ssl.h,v
retrieving revision 1.23
diff -u -p -r1.23 ssl.h
--- ssl.h 11 Apr 2021 07:18:08 -0000 1.23
+++ ssl.h 25 May 2021 20:39:53 -0000
@@ -15,11 +15,6 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-#include <openssl/ssl.h>
-
-#define SSL_CIPHERS "HIGH:!aNULL:!MD5"
-#define SSL_SESSION_TIMEOUT 300
-
struct pki {
char pki_name[HOST_NAME_MAX+1];
@@ -31,8 +26,6 @@ struct pki {
char *pki_key;
off_t pki_key_len;
- EVP_PKEY *pki_pkey;
-
int pki_dhe;
};
@@ -46,22 +39,9 @@ struct ca {
/* ssl.c */
-void ssl_init(void);
-int ssl_setup(SSL_CTX **, struct pki *,
- int (*)(SSL *, int *, void *), const char *);
-SSL_CTX *ssl_ctx_create(const char *, char *, off_t, const char
*);
-int ssl_cmp(struct pki *, struct pki *);
-char *ssl_load_file(const char *, off_t *, mode_t);
-char *ssl_load_key(const char *, off_t *, char *, mode_t, const char
*);
-
-const char *ssl_to_text(const SSL *);
-void ssl_error(const char *);
-
-int ssl_load_certificate(struct pki *, const char *);
-int ssl_load_keyfile(struct pki *, const char *, const char *);
-int ssl_load_cafile(struct ca *, const char *);
-int ssl_load_pkey(const void *, size_t, char *, off_t,
- X509 **, EVP_PKEY **);
-int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
- char *, off_t, X509 **, EVP_PKEY **);
+void ssl_init(void);
+void ssl_error(const char *);
+int ssl_load_certificate(struct pki *, const char *);
+int ssl_load_keyfile(struct pki *, const char *, const char *);
+int ssl_load_cafile(struct ca *, const char *);
char *ssl_pubkey_hash(const char *, off_t);
